
Polyfill.io resurfaces, injecting fake login prompts on Toshiba and Muji sites

Toshiba and Muji have warned website visitors that suspicious sign-in screens appearing on their sites could harvest credentials, advising anyone who entered login data to change their passwords. The pop-ups were generated by the external polyfill[.]io service, which injected malicious code via its CDN after the domain was bought by a Chinese entity in 2024 - an incident that affected more than 100,000 websites. Japanese outlets report Zojirushi, FiNC Technologies, Ishiyaku Publishers, and Hobonichi were also hit, and a researcher observed Samsung Smart TVs and sites showing the prompt on June 1. Polyfill is a JavaScript compatibility CDN for legacy browsers; affected sites should remove all polyfill[.]io references immediately.

Check
Grep your web properties and third-party tags for any references to polyfill[.]io (scripts, CDN links, GTM containers). Check Samsung/IoT and legacy-browser-support code paths. Review recent customer credential-reset reports.
Affected
Any website still loading scripts from polyfill[.]io - the CDN compromised in 2024 and now serving credential-harvesting login prompts. Toshiba, Muji, Samsung Smart TVs, and several Japanese brands were hit.
Fix
Remove all polyfill[.]io references immediately and replace them with a trusted fork (e.g. Cloudflare or Fastly mirrors). Force-reset credentials for any users who may have entered them into injected prompts.
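
One way to run the "Check" step across a source tree or an exported tag container, as an added example that is not part of the original article. The file-type list, function names and sample files (including the `mirror.example` host) are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Hostname match for polyfill.io and its subdomains; rejects look-alikes such
# as mypolyfill.io or polyfill.io.example.com. Matching the host alone also
# catches protocol-relative URLs and the JSON-escaped "https:\/\/" form.
POLYFILL_HOST = re.compile(
    r"(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*polyfill\.io"
    r"(?![A-Za-z0-9-]|\.[A-Za-z0-9])", re.IGNORECASE)
TEXT_SUFFIXES = {".html", ".htm", ".js", ".json", ".php"}  # assumed file types

def scan_text(text):
    """Return (line_number, host) for each polyfill.io reference in text."""
    return [(num, m.group(0).lower())
            for num, line in enumerate(text.splitlines(), start=1)
            for m in POLYFILL_HOST.finditer(line)]

def scan_tree(root):
    """Return sorted (relative_path, line_number, host) hits under root."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = path.relative_to(root).as_posix()
            hits += [(rel, num, host) for num, host in scan_text(text)]
    return sorted(hits)

# Constructed samples: script tag, GTM container export with escaped slashes,
# protocol-relative loader, and a clean page that must produce no hits.
SAMPLES = {
    "index.html": '<html>\n<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>\n',
    "gtm/container.json": '{"html": "<script src=\\"https:\\/\\/polyfill.io\\/v3\\/polyfill.js\\">"}',
    "js/legacy-tv.js": "var s = document.createElement('script');\ns.src = '//CDN.Polyfill.io/v2/polyfill.min.js';\n",
    "clean.html": '<script src="https://mirror.example/polyfill/v3/polyfill.min.js"></script>\n<!-- mypolyfill.io polyfill.io.example.com -->\n',
}

def demo():
    """Write SAMPLES to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, num, host in demo():
        print(f"{rel}:{num}: {host}")
```

A static scan like this does not see hostnames assembled at runtime or scripts pulled in by third-party tags, so it complements rather than replaces a review of the requests a page actually makes in the browser.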